b'         U.S. ENVIRONMENTAL PROTECTION AGENCY\n         OFFICE OF INSPECTOR GENERAL\n\n\n\n                                        Catalyst for Improving the Environment\n\n\nAudit Report\n\n\n\n\n       EPA Should Further Connect the\n       National Program Manager\n       Process With Federal Guidance\n       on Internal Control Risks\n       Report No. 11-P-0067\n\n       January 18, 2011\n\x0cReport Contributors:                             Patrick Gilbride\n                                                 Erin Barnes-Weaver\n                                                 Karen L. Hamilton\n                                                 Mary Anne Strasser\n                                                 Stephanie Wake\n\n\n\n\nAbbreviations\n\nEPA          U.S. Environmental Protection Agency\nFMFIA        Federal Managers\xe2\x80\x99 Financial Integrity Act\nFY           Fiscal year\nGAO          U.S. Government Accountability Office\nGPRA         Government Performance and Results Act of 1993\nNPM          National program manager\nOCFO         Office of the Chief Financial Officer\nOCSPP        Office of Chemical Safety and Pollution Prevention\nOMB          Office of Management and Budget\nOW           Office of Water\nPAR          Performance and Accountability Report\n\x0c                       U.S. Environmental Protection Agency \t                                               11-P-0067\n                                                                                                      January 18, 2011\n                       Office of Inspector General\n\n\n                       At a Glance\n                                                                            Catalyst for Improving the Environment\n\n\nWhy We Did This Review\n                                  EPA Should Further Connect the National\n                                  Program Manager Process With Federal\nWe conducted this review to       Guidance on Internal Control Risks\ndetermine how EPA\xe2\x80\x99s national\nprogram manager (NPM)             What We Found\nprocess relates to the internal\ncontrol framework under the       EPA has not fully integrated FMFIA and the NPM processes. Activities conducted\nFederal Managers\xe2\x80\x99 Financial       per the NPM process support internal controls; however, EPA\xe2\x80\x99s Office of the\nIntegrity Act (FMFIA). We         Chief Financial Officer did not connect these processes until midway through\ndetermined whether the U.S.       fiscal year 2009 (in supplemental guidance) and in fiscal year 2010 guidance, and\nEnvironmental Protection          integration efforts are still in their infancy. NPMs already conduct many activities\nAgency (EPA) should               related to internal control, yet national program offices have separate processes\nimprove connections between       and staff responsible for each process. Having national program offices primarily\nthe two processes and whether     responsible for internal controls over national programs would streamline\nNPMs and regions coordinate       reporting and lessen confusion among staff involved in both processes.\nprogram management and\naddress risks and                 NPMs have not linked assessing and evaluating relevant risks associated with\nvulnerabilities.                  achieving program objectives to internal control requirements. FMFIA requires\n                                  managers to define program goals and identify key programs, complete a risk\nBackground                        assessment based on their priorities, and then establish controls to mitigate\n                                  identified program risks. National program offices and regions do not appear to\nFMFIA requires federal            completely understand the risk assessment internal control standard and how to\nagency managers to annually       apply it to program operations. Without consistently conducting risk assessments,\nevaluate and indicate whether     EPA lacks a sound, documented basis for reasonably assuring that programs\ntheir agencies\xe2\x80\x99 internal          implement effective internal controls consistent with federal internal control\ncontrols comply with              standards. Additional training on risk assessment, including how to identify\nprescribed standards. NPM         weaknesses, determining how to manage risks, and how to conduct necessary\nguidance sets forth goals and     internal control reviews, should improve program management.\nprogram priorities to support\ncompliance with the               What We Recommend\nGovernment Performance and\nResults Act of 1993.              We recommend that the Chief Financial Officer assign NPMs primary\n                                  responsibility for FMFIA reporting on internal controls for national programs and\nFor further information,          rely on the lead regional coordinator process for input from the regions, and direct\ncontact our Office of             regional personnel to report on administrative and financial internal control\nCongressional, Public Affairs     activities along with unique geographic and programmatic issues in regional\nand Management at\n(202) 566-2391.                   assurance letters. We also recommend that the Chief Financial Officer develop a\n                                  training course on FMFIA and enhance the FMFIA intranet site by providing\nTo view the full report,          links to risk assessment guidance and completed products that offices could use as\nclick on the following link:      best practices. The Agency agreed with our recommendations and began taking\nwww.epa.gov/oig/reports/2011/\n20110118-11-P-0067.pdf\n                                  steps to address them.\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n                                                                               THE INSPECTOR GENERAL\n\n\n\n\n                                         January 18, 2011\n\nMEMORANDUM\n\nSUBJECT:\t              EPA Should Further Connect the National Program Manager Process\n                       With Federal Guidance on Internal Control Risks\n                       Report No. 11-P-0067\n\n\nFROM:\t                 Arthur A. Elkins, Jr.\n                       Inspector General\n\nTO:                    Barbara J. Bennett\n                       Chief Financial Officer\n\n\nThe U.S. Environmental Protection Agency (EPA) Office of Inspector General issued this report\non the subject audit. This report contains findings that describe problems we identified and\ncorrective actions we recommend. This report represents our opinion and does not necessarily\nrepresent the final EPA position. EPA managers will make final determinations on matters in this\nreport in accordance with established audit resolution procedures.\n\nThe estimated cost of this report, calculated by multiplying the project\xe2\x80\x99s staff days by the\napplicable daily full cost billing rates in effect at the time, is $472,472.\n\nAction Required\n\nOn November 22, 2010, your office provided comments to our report, and we discussed your\nplanned corrective actions and milestone dates on December 15, 2010. We believe your planned\ncorrective actions address the intent of each of our recommendations. As such, we plan to close\nthis assignment upon issuance of this final report. We have no objections to the further release of\nthis report to the public. This report will be available at http://www.epa.gov/oig.\n\nIf you or your staff has any questions regarding this report, please contact Melissa Heist,\nAssistant Inspector General for Audit, at (202) 566-0899 or heist.melissa@epa.gov; or\nPatrick Gilbride, Director for Audit, Risk and Program Performance Issues, at (303) 312-6969\nor gilbride.patrick@epa.gov.\n\x0cEPA Should Further Connect the National Program Manager                                                                     11-P-0067\nProcess With Federal Guidance on Internal Control Risks\n\n\n                                  Table of Contents \n\n\nChapters \n\n   1    Introduction .......................................................................................................       1         \n\n\n                Purpose .......................................................................................................    1             \n\n                Background .................................................................................................       1             \n\n                Noteworthy Achievements...........................................................................                 4             \n\n                Scope and Methodology..............................................................................                5             \n\n\n   2    FMFIA and NPM Processes Not Integrated......................................................                               6         \n\n\n                FMFIA and NPM Processes Have Common Elements ...............................                                       6\n\n                Program Office Interpretations Vary on Degree of Integration ....................                                  8\n\n                Regional Personnel Unclear on Assurance Letter Content .........................                                   9\n\n                Conclusion...................................................................................................     10             \n\n                Recommendations ......................................................................................            10             \n\n                Agency Comments and OIG Evaluation......................................................                          10 \n\n\n   3    Risk Assessment Internal Control Standard ..................................................                              12\n\n\n                Risk Assessments Not Informing Program Reviews ...................................                                12 \n\n                Conclusion...................................................................................................     14             \n\n                Recommendations ......................................................................................            15             \n\n                Agency Comments and OIG Evaluation......................................................                          15 \n\n\n   Status of Recommendations and Potential Monetary Benefits..............................                                        16     \n\n\n\n\nAppendices \n\n   A    Details on Scope and Methodology..................................................................                        17     \n\n\n   B    Agency Response to Draft Report....................................................................                       20     \n\n\n   C    Distribution .........................................................................................................    23     \n\n\x0c                                             Chapter 1\n\n                                             Introduction\nPurpose\n                  The U.S. Environmental Protection Agency\xe2\x80\x99s (EPA\xe2\x80\x99s) national program managers\n                  (NPMs) develop annual guidance documents to define program priorities,\n                  strategies, and performance measures in accordance with the Agency\xe2\x80\x99s strategic\n                  plan, annual plan and budget, and the Administrator\xe2\x80\x99s priorities. We conducted\n                  this review to determine how the NPM process relates to the internal control\n                  framework under the Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA), and\n                  whether the Agency should improve connections between the two processes. We\n                  also determined whether NPMs and regional personnel coordinate program\n                  management and whether this coordination addresses program risks and\n                  vulnerabilities.\n\nBackground\n                  EPA annually issues the Performance and Accountability Report (PAR)1 to\n                  describe to the President, Congress, and the public the Agency\xe2\x80\x99s environmental\n                  program and financial performance during the fiscal year. The PAR also describes\n                  progress in addressing management issues and accountability systems and\n                  controls. The annual PAR satisfies a number of legislative reporting requirements,\n                  including those of the Government Performance and Results Act of 1993 (GPRA)\n                  and FMFIA. EPA\xe2\x80\x99s Office of the Chief Financial Officer (OCFO) develops,\n                  manages, and supports a goals-based management system for the Agency, which\n                  includes preparing EPA\xe2\x80\x99s strategic plan, annual budget and performance plan, and\n                  the PAR. OCFO initiates both the FMFIA and NPM processes by providing\n                  annual guidance to EPA managers. OCFO also reports results from each process,\n                  such as information from FMFIA assurance statements and NPM performance\n                  results, in the Agency\xe2\x80\x99s annual PAR.\n\n                  National Program Manager Process\n\n                  GPRA requires the PARs, strategic plans, and annual performance plans to\n                  facilitate results-oriented management. GPRA also requires agencies to clarify\n                  their missions, set strategic and annual performance goals, and measure and report\n                  on performance toward these goals. NPMs for each of EPA\xe2\x80\x99s five national\n\n1\n Effective for the fiscal year 2010 reporting period, EPA now uses an alternate reporting approach to the PAR. The\nAgency financial report summarizes EPA\xe2\x80\x99s financial results and presents its audited financial statements, and the\nannual performance report presents detailed performance results as measured against targets established in EPA\xe2\x80\x99s\nannual plan and budget. For the purposes of our report, we will refer to the PAR, as it was the reporting approach in\nplace during the time we conducted our audit.\n\n\n11-P-0067                                                                                                        1\n\x0c            program offices issue annual guidance documents to initiate program planning\n            and establish a relationship among annual operational measures, EPA\xe2\x80\x99s annual\n            budget, and long-term strategic goals. NPMs establish national goals for their\n            respective programs and then evaluate and adjust national priorities as new data\n            on emerging environmental issues become available. EPA uses this process that\n            NPMs undertake while developing their guidance documents (hereafter referred\n            to as the \xe2\x80\x9cNPM process\xe2\x80\x9d) to support compliance with GPRA requirements. NPM\n            annual guidance focuses on three areas:\n\n               1.\t Developing NPM priorities, strategies, and associated measures\n               2.\t Reporting results for prior year performance commitments\n               3.\t Negotiating agreements for performance commitments\n\n            NPMs establish these priorities, strategies, measures, and commitments through a\n            process of coordination and negotiation with regional personnel. EPA adopted a\n            methodology in 1984 to provide regions an organized, consistent, and effective\n            role in all major phases of Agency decisionmaking through lead regional\n            coordinators. Lead regional coordinators act as conduits between the regional\n            personnel and the NPMs to ensure ongoing regional input to EPA\xe2\x80\x99s national\n            program offices. Lead regional coordinators consolidate information from\n            regional personnel on priorities, emerging issues, weaknesses, and other issues for\n            NPMs to consider during their process and for national program offices\xe2\x80\x99 FMFIA\n            assurance letters.\n\n            OCFO issues technical guidance for national program offices to follow as they\n            prepare annual NPM guidance on Agency priorities. OCFO\xe2\x80\x99s Technical Guidance\n            on FY 2010 National Program Manager Guidance and Annual Commitment\n            Process in Measures Central requires managers to establish program priorities\n            and performance measures in support of GPRA requirements and serves as an\n            overall program management tool. This NPM process aims to support Agency\n            program management and decisionmaking by:\n\n               \xe2\x80\xa2\t Improving the quality, consistency, and reliability of measures and related\n                  data and reporting\n               \xe2\x80\xa2\t Analyzing progress toward results in midyear reporting to aid in \n\n                  negotiating draft performance commitments \n\n               \xe2\x80\xa2\t Engaging with state and tribal partners and stakeholders\n\n            EPA\xe2\x80\x99s Management Integrity Process\n\n            FMFIA requires federal agency managers to establish internal accounting and\n            administrative controls in accordance with standards prescribed by the U.S.\n            Government Accountability Office (GAO) in Standards for Internal Control in\n            the Federal Government. FMFIA also requires federal agency managers to\n            annually evaluate their compliance with GAO\xe2\x80\x99s standards and issue a statement of\n            full compliance or noncompliance with FMFIA (an \xe2\x80\x9cassurance letter\xe2\x80\x9d). If the\n\n\n11-P-0067                                                                                  2\n\x0c            Administrator determines that the Agency has not fully complied with GAO\xe2\x80\x99s\n            standards, the Administrator must report internal weaknesses and a corresponding\n            corrective action plan in the Administrator\xe2\x80\x99s assurance statement.\n\n            Office of Management and Budget (OMB) Circular A-123 describes federal\n            managers\xe2\x80\x99 responsibilities for internal control and provides guidance to meet\n            FMFIA requirements. The circular states that internal control should be \xe2\x80\x9can\n            integral part of the entire cycle of planning, budgeting, management, accounting,\n            and auditing\xe2\x80\x9d and \xe2\x80\x9cprovide continual feedback to management.\xe2\x80\x9d It also advises\n            agencies to combine their FMFIA reporting efforts with other ongoing efforts to\n            improve effectiveness and accountability.\n\n            GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government provide an\n            overall framework for establishing and maintaining internal control and for\n            identifying and addressing major performance and management challenges and\n            areas at greatest risk of fraud, waste, abuse, and mismanagement (table 1).\n\n            Table 1: GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government\n                                   This standard establishes and maintains an environment throughout\n                                   the organization that sets a positive and supporting attitude toward\n                 Control\n                                   internal control and conscientious management. Internal control and\n               environment\n                                   conscientious management includes establishing goals, objectives,\n                                   and performance measures at both the entity and activity levels.\n                                   A precondition to risk assessment is the establishment of clear,\n                                   consistent agency objectives. The internal control risk assessment\n                                   process includes assessing risks the agency faces from both internal\n                   Risk\n                                   and external sources. Management should comprehensively identify\n                assessment\n                                   risks and should consider all significant interactions between the entity\n                                   and other parties, as well as internal factors at both the entity and\n                                   activity levels.\n                                   Control activities are the policies, procedures, techniques, and\n                                   mechanisms that implement management\xe2\x80\x99s direction to achieving\n             Control activities    goals. Internal control activities help ensure that management\xe2\x80\x99s\n                                   directives are carried out.\n                                   This standard includes data and information (performance and\n             Information and       financial) to determine whether the organization meets its goals and\n             communications        objectives and maintains accountability over resources.\n                                   Internal control monitoring should assess the quality of performance\n                Monitoring         over time and ensure that audits and other review findings are\n                                   promptly resolved.\n            Source: OIG summary of GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government,\n            GAO/AIMD-00-21.3.1, November 1999.\n\n            According to OMB Circular A-123, risk assessment forms the foundation of any\n            effective system of internal controls. Risk assessment includes identifying and\n            analyzing relevant risks associated with achieving goals and objectives, such as\n            those defined in strategic and annual performance plans developed under GPRA.\n            After an organization identifies significant areas of risk, it should develop control\n\n\n11-P-0067                                                                                            3\n\x0c            activities to minimize or eliminate those risks. Risk analysis generally includes\n            estimating the risk\xe2\x80\x99s significance, assessing the likelihood of its occurrence, and\n            deciding how to manage the risk and what actions to take.\n\n            OCFO initiates the FMFIA reporting process by providing annual guidance to\n            EPA managers. OCFO\xe2\x80\x99s FMFIA guidance specifies coordination and\n            communication between NPMs and regional offices. New for fiscal year (FY)\n            2010, OCFO issued the guidance in two parts: the first part focused on financial\n            activities and the second part focused on program operations. OCFO intended the\n            second part to achieve more systematic and rigorous reviews of internal controls\n            over program operations and establish clear regional and national program roles\n            and responsibilities for reviewing controls and sharing information between\n            offices.\n\nNoteworthy Achievements\n            OCFO has taken a number of steps to improve EPA\xe2\x80\x99s management integrity\n            program. In FY 2010, OCFO issued separate FMFIA guidance for financial and\n            program operations. The program guidance addressed how to conduct internal\n            control reviews over program operations, and also clarified responsibilities\n            between program offices and regions. In addition, OCFO hired a contractor in\n            FY 2009 to conduct FMFIA program compliance reviews in a sample of offices\n            to determine necessary changes to improve FMFIA implementation. OCFO\n            completed additional reviews in FY 2010 in Regions 9 and 10, and will continue\n            these reviews on a rotating basis as part of OCFO\xe2\x80\x99s oversight of the management\n            integrity program.\n\n            OCFO has also made efforts to show the relationship between the NPM process\n            and FMFIA by cross-referencing them in each guidance document. The FY 2010\n            FMFIA program guidance mentions the NPM process, while the FY 2011\n            Technical Guidance on the NPM Guidance mentions the FMFIA process for the\n            first time. OCFO\xe2\x80\x99s Technical Guidance on FY 2012 National Program Manager\n            Guidance and Annual Commitment Process notes that annual NPM guidance\n            documents serve as an important internal control for Agency programmatic\n            operations because the documents set forth program priorities and key actions for\n            the upcoming year. OCFO also encouraged NPMs to discuss their annual program\n            guidance as a key internal control in preparing FY 2011 annual letters of\n            assurance to the Administrator. National program offices and regions in our scope\n            acknowledged connections between the two processes and have taken initial steps\n            to integrate them.\n\n            Finally, we observed strong communication and coordination between national\n            program offices and regions. They establish national program priorities through\n            an inclusive process involving states, tribes, and other stakeholders.\n\n\n\n\n11-P-0067                                                                                    4\n\x0cScope and Methodology\n            We conducted this audit in accordance with generally accepted government\n            auditing standards. Those standards require that we plan and perform the review\n            to obtain sufficient, appropriate evidence to provide a reasonable basis for our\n            findings and conclusions based on our review objectives. We believe that the\n            evidence obtained provides a reasonable basis for our findings and conclusions\n            based on our review objectives.\n\n            We focused our review on FMFIA and NPM process implementation by the\n            Office of Water (OW), Office of Chemical Safety and Pollution Prevention\n            (OCSPP), and Regions 5 and 9; we also reviewed Regions 3 and 6 because they\n            house, respectively, the OW and OCSPP lead regional coordinators. We also\n            focused our review on guidance provided by OCFO to EPA managers.\n\n            We reviewed OCFO\xe2\x80\x99s FMFIA guidance for FYs 2008, 2009, and 2010, and\n            OCFO\xe2\x80\x99s Technical Guidance on the National Program Manager Guidance and\n            Annual Commitment Process in Measures Central for FYs 2010, 2011, and 2012.\n            We also reviewed FMFIA assurance letters for FYs 2008 and 2009 for OW,\n            OCSPP, and Regions 3, 5, 6, and 9; NPM guidance documents for FYs 2008,\n            2009, and 2010; and program review strategies for FY 2010.\n\n            We interviewed OCFO, OW, OCSPP, regional, and other EPA personnel to\n            understand, document, and analyze EPA\xe2\x80\x99s FMFIA and NPM processes and\n            coordination between national program offices and regions.\n\n            We are issuing this report to bring to the Agency\xe2\x80\x99s attention findings that could\n            influence FMFIA and NPM reporting in FY 2011.\n\n            Appendix A provides additional information on our scope and methodology.\n\n\n\n\n11-P-0067                                                                                   5\n\x0c                                   Chapter 2\n            FMFIA and NPM Processes Not Integrated\n             The Agency has not fully integrated FMFIA into the NPM process. FMFIA\n             requires federal agency managers to assess financial and programmatic\n             operations, establish controls, and ensure those controls are effective. NPM\n             guidance sets forth goals and program priorities to support compliance with\n             GPRA and align Agency long-term strategic goals and annual budgetary decisions\n             with detailed implementation instructions. Activities conducted per the NPM\n             process support internal controls. EPA has made efforts to improve management\n             integrity implementation for program operations and is currently working to\n             clarify links between the two processes. However, OCFO has segregated\n             information that offices should use in both processes and integration efforts are in\n             their infancy. Having national program offices primarily responsible for internal\n             controls over national programs would streamline reporting and lessen confusion\n             among staff involved in both processes.\n\nFMFIA and NPM Processes Have Common Elements\n             OMB Circular A-123 provides guidance to federal managers on implementing\n             FMFIA to improve the accountability and effectiveness of federal programs and\n             operations by establishing, assessing, and reporting on internal control. The\n             circular states, \xe2\x80\x9cthe requirements of FMFIA serve as an umbrella under which\n             other reviews, evaluations and audits should be coordinated and considered to\n             support management\xe2\x80\x99s assertion about the effectiveness of internal control.\xe2\x80\x9d The\n             circular lists a number of statutory requirements and government-wide initiatives,\n             including GPRA, which should be considered as part of an agency\xe2\x80\x99s internal\n             control framework and should be integrated to meet the requirements of FMFIA.\n             Internal control is a major part of successful agency management and comprises\n             the plans, methods, and procedures used by an agency to meet its mission, goals,\n             and objectives. OMB Circular A-123 states that by incorporating internal control\n             into its planning and implementation activities, an agency fulfills federal\n             expectations for performance-based management.\n\n             EPA establishes and communicates goals and priorities through the NPM process\n             to support GPRA compliance. Functional statements note how national program\n             offices have responsibility for EPA\xe2\x80\x99s program integrity and performance:\n\n                \xe2\x80\xa2\t OW: The Assistant Administrator for Water serves as principal advisor to\n                   the Administrator and provides Agency-wide policy, guidance, and\n                   direction for the Agency\xe2\x80\x99s water programs. Primary responsibilities\n                   include evaluating regional activities.\n\n\n\n\n11-P-0067                                                                                    6\n\x0c                         \xe2\x80\xa2\t OCSPP: The Assistant Administrator for Chemical Safety and Pollution\n                            Prevention is responsible for establishing Agency strategies and\n                            developing and operating Agency programs and policies for assessment\n                            and control of pesticides and toxic substances. Responsibilities include\n                            monitoring, evaluating, and assessing program operations in EPA\n                            headquarters and regional offices.\n\n                    While organizationally regional personnel report to Regional Administrators,\n                    regional personnel are accountable to national program offices for negotiating\n                    performance commitments and reporting performance results. Regional personnel\n                    raise emerging issues to national program offices at periodic NPM planning\n                    meetings. Regional personnel also provide FMFIA input to national program\n                    offices through the lead regional coordinator process. Thus, NPMs manage national\n                    programs and oversee regional programs through these existing mechanisms.\n\n                    Our review found that NPMs already conduct many of the steps outlined in\n                    OCFO\xe2\x80\x99s FY 2010 FMFIA guidance as shown in bold text and checkmarks in\n                    table 2. Table 2 also notes internal control standards to which OCFO\xe2\x80\x99s guidance\n                    steps pertain.\n\nTable 2: FY 2010 FMFIA guidance outline and related internal control standards\n          Internal control                                                                                                  NPM\n  Step        standard                                     Task                                                           activities\n I. ESTABLISH A FOUNDATION FOR INTERNAL CONTROL REVIEWS\n    1           Control\n              environment          Identify key programs and operations.\n                                   Develop a Program Review Strategy for each key program and\n                                   operation. Among other things, the strategy will identify potential risks\n    2            All GAO           associated with the program; rank the risks; and outline the internal\n                standards          controls (e.g. policies, procedures, or measures) in place to\n                                   mitigate the risks.\n                                   Prepare a Multiyear Plan for reviewing internal controls over program\n                                   operations. Based on risk levels assigned, prepare a Multiyear Plan that\n    3       Control activities     establishes priorities for assessing the internal controls over\n                                   programmatic operations.\n II. CONDUCT FY 2010 REVIEWS\n    1       Control activities     Conduct reviews, testing, or monitoring activities planned for FY\n             and monitoring        2010.\n    2       Control activities     Determine corrective actions.\n            Information and\n    3       communication          Document your findings.\n III. REPORT FY 2010 FINDINGS\n              Monitoring and       Provide status updates for midyear Management Integrity Report and\n    1        information and       the Agency \xe2\x80\x9cUpdate\xe2\x80\x9d meeting.\n             communication\n             Information and       Develop FY 2010 assurance letter to the Administrator.\n    2        communication\n             Information and\n    3        communication         Prepare for end-of-year \xe2\x80\x9cDecision Meeting.\xe2\x80\x9d\nSource: OIG analysis of an outline provided by OCFO\xe2\x80\x99s associate staff director for accountability within the Office of Planning,\nAnalysis, and Accountability, on June 30, 2010.\n\n\n\n\n11-P-0067                                                                                                                          7\n\x0c            Table 2 illustrates how the NPM process relates to the FMFIA process, and how\n            information from one process can inform the other. However, EPA has not fully\n            integrated FMFIA into the NPM process. OCFO\xe2\x80\x99s guidance documents only\n            recently referenced each process. OCFO has reoriented its FMFIA process to\n            include program operations, and OCFO, national program offices, and regional\n            personnel considered FY 2010 a building year in which to clarify links between\n            the two processes.\n\nProgram Office Interpretations Vary on Degree of Integration\n            While NPMs, management integrity advisors, regional personnel and planners,\n            and OCFO acknowledged links between the two processes, we found variations in\n            the extent to which regions and offices understand the relationship between the\n            FMFIA and NPM processes and confusion as to what to report. OW managers\n            have different views as to the linkages between the two processes\xe2\x80\x94one saw no\n            link, and the other had fully integrated each process. However, most regional\n            program personnel continue to struggle with how FMFIA relates to the NPM\n            process. OCFO said this confusion derives largely from an acknowledged lack of\n            familiarity with FMFIA terms and framework, and OCFO is striving to improve\n            understanding.\n\n            Staff stated they had not considered the NPM guidance as a tool to identify\n            program vulnerabilities. However, OCFO believes the NPM process is the\n            primary control for program management. We agree and note the following\n            elements of the NPM process relevant to FMFIA:\n\n               \xe2\x80\xa2\t Final NPM guidance from the national program offices contains\n                   information that could be included in the FMFIA Midyear Status Report to\n                   the Administrator.\n               \xe2\x80\xa2 \t Information published in national program offices\xe2\x80\x99 midyear reports on\n                   commitments could be considered for input from the lead regional\n                   coordinators to NPMs for FMFIA assurance letters.\n               \xe2\x80\xa2 \t Managers\xe2\x80\x99 discussions of program priorities, vulnerabilities, and other\n                   issues during the NPM process include issues that offices should assess for\n                   internal control deficiencies and, if necessary, report in FMFIA assurance\n                   letters. We noted two such examples: (1) a national water division\n                   directors meeting in October 2009 addressed water quality monitoring,\n                   new administration priorities, the Urban Waters Initiative, and surface\n                   mining operations; and (2) OCSPP division directors discussed with us\n                   significant management issues such as the Toxic Substances Control Act\n                   and requirements for polychlorinated biphenyls in caulk.\n\n\n\n\n11-P-0067                                                                                 8\n\x0cRegional Personnel Unclear on Assurance Letter Content\n                 By not linking the FMFIA and NPM processes, regional personnel remain unclear\n                 as to how to report certain issues in assurance letters. For example, our review of\n                 FY 2009 regional FMFIA assurance letters found inconsistencies in how regional\n                 personnel reported geographic initiatives. Geographic initiatives are programs or\n                 activities unique to a particular EPA region (e.g., the Chesapeake Bay and the\n                 Great Lakes programs are tasked with protecting and restoring large aquatic\n                 ecosystems). OCFO said that reporting responsibilities on geographic initiatives\n                 varies by NPM. Of the four regions\xe2\x80\x99 assurance letters we reviewed, we found that:\n\n                     \xe2\x80\xa2\t Region 3 briefly mentioned the Chesapeake Bay.\n                     \xe2\x80\xa2\t The Great Lakes National Program Office issued its own assurance letter\n                        through Region 5\xe2\x80\x99s annual FMFIA process.\n                     \xe2\x80\xa2\t Regions 6 and 9 did not mention initiatives within their purview: the Gulf\n                        of Mexico, United States-Mexico Border Water Quality, or the Pacific\n                        Islands Waters.\n\n                 As we reported in 2009,2 because OCFO previously focused FMFIA primarily on\n                 financial and administrative activities, staff were confused about FMFIA roles\n                 and reporting. Beginning in FY 2009, OCFO expanded EPA\xe2\x80\x99s FMFIA reporting\n                 from strictly financial and administrative activities to include program operations\n                 and, in FY 2010, clarified regional and national program roles and\n                 responsibilities. During this transition, regional offices remain confused as to\n                 what to report on and how. Regional comptrollers noted improvements in this\n                 year\xe2\x80\x99s OCFO guidance, but said that program personnel remain unclear on their\n                 FMFIA responsibilities.\n\n                 OCFO should require NPMs to summarize national program issues in their\n                 assurance letters, including information NPMs obtain on regional program\n                 implementation and performance. Regional FMFIA assurance letters would then\n                 focus on administrative and financial internal control activities. OCFO has also\n                 historically administered the FMFIA and NPM processes separately and has only\n                 recently viewed the two as complementary. Program offices and regional\n                 personnel have considered the NPM process a separate task distinct from FMFIA,\n                 even though many NPM process activities support FMFIA.\n\n                 Both the Administrator and Chief Financial Officer have issued statements on\n                 how EPA should view the management integrity process as a year-long process\n                 instead of a once-yearly exercise to complete assurance letters. In her February 2,\n                 2010, memorandum, the Administrator stated that to improve management\n                 integrity for FY 2010, everyone involved should view it as a year-long process\xe2\x80\x94a\n\n2\n We issued two reports on the administrative focus of FMFIA guidance and the confusion regional and program\noffice personnel had with FMFIA requirements: EPA Should Use FMFIA to Improve Programmatic Operations,\nReport No. 09-P-0203, August 6, 2009; and EPA\'s Office of Research and Development Could Better Use the\nFederal Managers\' Financial Integrity Act to Improve Operations, Report No. 09-P-0232, September 15, 2009.\n\n\n11-P-0067                                                                                                 9\n\x0c                  significant departure from how EPA has traditionally carried out management\n                  integrity activities. Lastly, the Agency has committed to adopting a \xe2\x80\x9cOneEPA\xe2\x80\x9d\n                  approach to accomplishing its environmental protection mission.3 By making\n                  NPMs responsible for internal controls and FMFIA reporting for national\n                  programs (working through Lead Regional Coordinators to do so), the Agency\n                  would support OneEPA and foster more communication between regional\n                  personnel and NPMs.\n\nConclusion\n                  EPA would increase its ability to maximize its resources, achieve its\n                  commitments, and meet its goals by clarifying links between the NPM and\n                  FMFIA processes. Separate activities and reporting related to the FMFIA and\n                  NPM processes potentially result in duplicative activities under each. NPMs\n                  already conduct many of the activities related to FMFIA in the NPM process, yet\n                  national program offices have separate processes and staff responsible for each\n                  process. Having NPMs primarily responsible for reporting on internal controls\n                  over national programs would streamline reporting and lessen confusion among\n                  staff involved in both the NPM and FMFIA processes.\n\nRecommendations\n                  We recommend that the Chief Financial Officer:\n\n                           2-1\t     Assign NPMs primary responsibility for FMFIA reporting on\n                                    internal controls for national programs and rely on the lead\n                                    regional coordinator process for input from the regions.\n\n                           2-2\t     Direct regional personnel to report on administrative and financial\n                                    internal control activities along with unique geographic and\n                                    programmatic issues in regional assurance letters.\n\nAgency Comments and OIG Evaluation\n                  In recommendation 2-1 of our draft report, we stated that OCFO should \xe2\x80\x9cUse\n                  existing activities under the NPM guidance process to require that NPMs in National\n                  Program Offices complete FMFIA reporting on program performance, risks, and\n                  emerging issues (including those related to regional program performance and/or\n                  feedback NPMs receive from regional program implementers).\xe2\x80\x9d In its response,\n                  OCFO suggested that we revise the recommendation to \xe2\x80\x9crequire NPMs to address\n                  in their NPM Guidance, as appropriate, the vulnerabilities and weaknesses\n                  identified through their FMFIA responsibilities.\xe2\x80\x9d We disagreed with OCFO\xe2\x80\x99s\n                  suggested revision to recommendation 2-1 because it did not incorporate using the\n\n3\n  As described in EPA\xe2\x80\x99s Open Government Plan, the \xe2\x80\x9cOneEPA\xe2\x80\x9d tool is in place to promote transparency by\ninitiating discussion, capturing suggestions, and collecting reactions both within the Agency and from the public.\n\n\n11-P-0067                                                                                                        10\n\x0c            NPM framework along with the lead regional coordinator process. National\n            program offices should integrate evaluating internal controls into all program\n            management activities using these processes. After reviewing OCFO\xe2\x80\x99s response,\n            we clarified our report to focus on the entire NPM framework (i.e., developing\n            program priorities, strategies, and performance commitments linked to strategic\n            and budget planning), rather than specific annual NPM guidance documents. We\n            met with OCFO on December 15, 2010, and agreed upon the current\n            recommendation. We also discussed OCFO\xe2\x80\x99s planned corrective actions and\n            milestone dates, such as connecting FMFIA and the NPM processes in its\n            FY 2012 NPM guidance and upcoming FY 2011 FMFIA guidance. OCFO\xe2\x80\x99s\n            planned FY 2011 FMFIA guidance will reinforce the role of NPMs and the lead\n            regional coordinator process.\n\n            On recommendation 2-2, OCFO responded that it should continue to direct\n            regions to address regional aspects of key national programs to ensure Regional\n            Administrator-level accountability. We agree and discussed this with OCFO on\n            December 15, 2010, and added text to recommendation 2-2.\n\n            We believe our recommendations will provide national program offices a more\n            unified perspective and a means to gauge program priorities, weaknesses, and\n            emerging areas across all regions. This approach will also ensure regional\n            accountability on unique geographic and programmatic issues. OCFO will verify\n            its planned corrective actions to address recommendations 2-1 and 2-2 in FY 2011\n            program compliance reviews. We believe OCFO\xe2\x80\x99s planned corrective actions\n            address the intent of our recommendations. Appendix B includes OCFO\xe2\x80\x99s full\n            response.\n\n\n\n\n11-P-0067                                                                                11\n\x0c                                    Chapter 3\n\n            Risk Assessment Internal Control Standard\n              NPMs assess and evaluate relevant risks associated with achieving their program\n              objectives through communication within the national program offices and with\n              regional personnel and other stakeholders. However, offices have not linked these\n              activities to internal control requirements. FMFIA requires managers to define\n              program goals and identify key programs, complete a risk assessment based on\n              their priorities, and then establish controls to mitigate identified program risks.\n              National program offices and regional personnel do not appear to completely\n              understand the risk assessment internal control standard and how to apply it to\n              program operations. Additional training on risk assessment, including how to\n              identify weaknesses, determining how to manage risks, and how to conduct\n              necessary internal control reviews, should improve program management.\n\nRisk Assessments Not Informing Program Reviews\n              Risk assessment\xe2\x80\x94a fundamental element in internal control\xe2\x80\x94identifies and\n              analyzes risks that might impede the achievement of organizational goals, such as\n              goals defined in strategic and annual performance plans developed under GPRA.\n              Agencies should analyze identified risks for their potential effect or impact and\n              implement controls to minimize or eliminate the risks to achieve the internal\n              control objectives of efficient and effective operations.\n\n              OCFO\xe2\x80\x99s FY 2010 FMFIA guidance requires all EPA programs to identify key\n              programs and develop program review strategies that list and rank potential risks\n              and related internal controls. The guidance also requires that all EPA programs\n              prepare schedules, or multiyear plans, describing when offices plan to review\n              internal controls for program operations. OCFO\xe2\x80\x99s FY 2009 FMFIA guidance\n              required all EPA programs to develop a multiyear review strategy (similar to the\n              FY 2010 multiyear plan) and complete a checklist based on GAO\xe2\x80\x99s Standards for\n              Internal Control in the Federal Government that includes risk assessment.\n\n              We found that not all national program offices and regions within our scope\n              conduct risk assessments in accordance with GAO\xe2\x80\x99s standards. Of the six\n              FY 2009 assurance letters we reviewed, only OW reported that it conducted a risk\n              assessment and used it to determine program reviews. Our interviews confirmed\n              that in the course of program management activities and coordinating with\n              regional personnel and other stakeholders, offices perform elements of risk\n              assessments. Offices we reviewed do not, however, analyze risks for potential\n              effects or impacts on the Agency, do not consider those assessments in the context\n              of internal controls, and do not incorporate activities into FMFIA. While OCFO\n              has taken steps to include programmatic operations in FMFIA reporting, Agency\n\n\n\n11-P-0067                                                                                    12\n\x0c                  personnel need training on internal control standards and terminology, and ways\n                  to connect FMFIA to their program-level tasks and accomplishments. OCFO is\n                  developing training but does not expect it to be ready until the FY 2011\n                  management integrity reporting period.\n\n                  OCFO\xe2\x80\x99s FY 2010 FMFIA program guidance instructs offices to prepare program\n                  review strategies that list and rank risks and vulnerabilities. OCFO assumes that\n                  offices conducted risk assessments prior to completing program review strategies\n                  so that risk information could be included. Offices have begun submitting\n                  FY 2010 program review strategies, but our analysis of eight strategies indicates\n                  that completing a strategy itself does not meet the intent of GAO\xe2\x80\x99s standards. The\n                  Agency cannot ensure that offices assess and analyze internal and external risks\n                  simply because they submitted program review strategies, as shown in table 3.\n\nTable 3: Program review strategy limitations in addressing risk assessment\n OCFO\xe2\x80\x99s FY 2010 FMFIA guidance requires that program review strategies list and rank potential\n risks and related internal controls.\n\n   OIG          All eight OW and OCSPP strategies that were available by August 2010 identified and\n comment        ranked at least one risk, but did not include any risk analysis. For example, in OW\xe2\x80\x99s\n                biosolids strategy, the risk of "insufficient monitoring data" does not have attendant control\n                activities, monitoring, and information/communication relative to that specific risk. Instead,\n                the strategy includes a random collection of material (e.g., one information/communication\n                entry is to make its website more user friendly, but it is not clear what risk that addresses).\n                OW\xe2\x80\x99s biosolids strategy also includes a potential major risk related to the lack of exposure\n                and toxicity data, but no apparent control activity to address that risk.\n\n Risk analysis generally includes estimating the risk\xe2\x80\x99s significance, assessing the likelihood of its\n occurrence, and deciding how to manage the risk and what actions to take.\n\n   OIG    OCSPP has not completed a risk assessment. Instead, OCSPP senior managers met to\n comment\t discuss and prioritize key risks to include in their program review strategies, half of which\n          were administrative. OCSPP did not include backlogged chemical assessments under the\n                                                              a             b\n          Toxic Substances Control Act even though GAO and our office identified the backlog as a\n          major management challenge for EPA.\n\n                OW completed and included a risk assessment in its FY 2009 assurance letter, and its\n                FY 2010 program review strategy included reviews that were already planned as a result of\n                its risk assessment (i.e., ongoing reviews). One regional management integrity advisor said\n                that regional water managers did not understand why OW selected the areas included in its\n                strategy.\nSource: OIG analysis of a sample of submitted FY 2010 program review strategies.\n        a\n            GAO, Environmental Protection Agency Major Management Challenges, GAO 09-434, March 4, 2009.\n        b\n            EPA OIG, EPA\xe2\x80\x99s Fiscal Year 2010 Key Management Challenges, May 11, 2010.\n\n                  These examples indicate that national program offices and regional personnel do\n                  not fully understand FMFIA and risk assessment. This confusion stems from how\n                  to apply internal control risk assessment to program management. Many EPA\n                  personnel understand risk assessment as a scientific term used to assess risks to\n                  human health and the environment. For example, one program office\xe2\x80\x99s review\n\n\n11-P-0067                                                                                                   13\n\x0c            strategy identified as a program risk that \xe2\x80\x9chuman health and the environment may\n            no longer be protective\xe2\x80\x9d\xe2\x80\x94a risk in a scientific sense. However, GAO\xe2\x80\x99s Standards\n            for Internal Control in the Federal Government defines internal control risk as\n            barriers that might inhibit a program from achieving its objectives. In this case,\n            protecting human health and the environment is the program objective, and the\n            office did not identify internal control risks that prevent the program from\n            achieving this objective. Offices also appear to not understand how to apply risk\n            assessment to program operations because they have not connected internal\n            control risk assessment and the NPM process. OCFO said it is providing more\n            guidance and training on risk.\n\n            Managers and staff we spoke with described a \xe2\x80\x9clanguage barrier\xe2\x80\x9d between what\n            program staff understands about FMFIA and what management integrity staff\n            understands about programmatic operations. While OCFO has taken steps to\n            include programmatic operations in FMFIA guidance, Agency personnel need\n            training on internal control standards and terminology, and ways to connect\n            FMFIA to their program-level tasks and accomplishments. OCFO believes that\n            offices conduct risk assessments and establish controls but do not identify them in\n            FMFIA terms, and OCFO said it is working to address this language barrier.\n            Offices could benefit from OCFO posting on its intranet tools such as the five-\n            page overview of risk assessment (including step-by-step instructions and\n            definitions) included in the contractor\xe2\x80\x99s report on program compliance reviews\n            (dated January 15, 2010) and highlighting on its intranet completed products\n            (such as OW\xe2\x80\x99s risk assessment) that other offices could use as examples. OCFO is\n            developing training on GAO\xe2\x80\x99s standards and how to incorporate FMFIA into\n            daily program operations, and expects it to be ready for the FY 2011 management\n            integrity reporting period.\n\n            In a February 5, 2010, memorandum to all EPA Assistant and Regional\n            Administrators, EPA\xe2\x80\x99s Chief Financial Officer said that without adequate and\n            effective internal controls integral to day-to-day activities, the Agency jeopardizes\n            its mission by placing at risk the resources and authority entrusted to it to protect\n            the nation\xe2\x80\x99s environment and health.\n\nConclusion\n            Without conducting risk assessments consistent with GAO\xe2\x80\x99s Standards for\n            Internal Control in the Federal Government, EPA cannot ensure it has\n            appropriate internal controls in place or that programs operate effectively and\n            efficiently. Additionally, EPA has not incorporated FMFIA into day-to-day\n            activities, which limits how well offices identify and address program risks.\n            Moreover, without adequate training, the learning curve for program staff on\n            FMFIA and, conversely, for management integrity staff on environmental\n            programs, could take time and resources from other Agency priorities.\n\n\n\n\n11-P-0067                                                                                     14\n\x0cRecommendations\n            We recommend that the Chief Financial Officer:\n\n                   3-1    Develop a training course on FMFIA that describes:\n                             a. what internal control standards are, including definitions\n                                and terminology;\n                             b. how management integrity relates to program operations;\n                                and\n                             c. how to conduct risk assessments.\n\n                   3-2    Enhance its management integrity intranet site by providing links\n                          to risk assessment guidance and completed products (such as risk\n                          assessments and program review strategies) that offices could use\n                          as best practices or examples when completing their own products.\n\nAgency Comments and OIG Evaluation\n            OCFO concurred with recommendations 3-1 and 3-2 and expects to complete\n            activities to address each recommendation in FY 2011. For example, OCFO\n            sought and applied our feedback on FMFIA training (per recommendation 3-1)\n            for management integrity advisors in June 2010. We concur with OCFO\xe2\x80\x99s\n            planned actions to address these recommendations. Appendix B includes OCFO\xe2\x80\x99s\n            full response.\n\n\n\n\n11-P-0067                                                                               15\n\x0c                                 Status of Recommendations and\n                                   Potential Monetary Benefits\n\n                                                                                                                            POTENTIAL MONETARY\n                                                    RECOMMENDATIONS                                                          BENEFITS (in $000s)\n\n                                                                                                                Planned\n    Rec.    Page                                                                                               Completion   Claimed    Agreed To\n    No.      No.                          Subject                          Status1      Action Official           Date      Amount      Amount\n\n    2-1       10    Assign NPMs primary responsibility for FMFIA             O       Chief Financial Officer\n                    reporting on internal controls for national programs\n                    and rely on the lead regional coordinator process\n                    for input from the regions.\n\n    2-2       10    Direct regional personnel to report on                   O       Chief Financial Officer\n                    administrative and financial internal control\n                    activities along with unique geographic and\n                    programmatic issues in regional assurance letters.\n\n    3-1       15    Develop a training course on FMFIA that describes:       O       Chief Financial Officer    09/30/11\n                          a. what internal control standards are,\n                             including definitions and terminology;\n                          b. how management integrity relates to\n                             program operations; and\n                          c. how to conduct risk assessments.\n\n    3-2       15    Enhance its management integrity intranet site by        O       Chief Financial Officer    09/30/11\n                    providing links to risk assessment guidance and\n                    completed products (such as risk assessments and\n                    program review strategies) that offices could use\n                    as best practices or examples when completing\n                    their own products.\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is undecided with resolution efforts in progress\n\n\n\n11-P-0067                                                                                                                                   16\n\x0c                                                                                   Appendix A\n\n                 Details on Scope and Methodology\n\nWe conducted our review to determine whether EPA links the FMFIA process with the NPM\nprocess. We also reviewed whether NPMs and regional personnel coordinate program\nmanagement to address program risks and vulnerabilities. We chose two program offices for our\nreview: OW and OCSPP. OW is one of EPA\xe2\x80\x99s largest program offices, has the largest budget,\nand interacts extensively with regional personnel. OCSPP represents a contrast to OW as it is a\nsmaller office with a smaller budget. Further, because OCSPP is more headquarters focused, it\ninteracts differently with the regional personnel. We also selected two regions for review:\nRegions 5 and 9. Region 5 is EPA\xe2\x80\x99s largest regional office and has the largest budget. Region 9\nis a midsized office with a midsized budget, and its staff played a significant role in the\ndevelopment of EPA\xe2\x80\x99s management integrity policy. Regions 5 and 9 both include states that\nhave significant water and pollution concerns. We also reviewed Regions 3 and 6 because they\nhouse, respectively, the OW and OCSPP lead regional coordinators.\n\nTo address our objectives, we did the following:\n\n       \xe2\x80\xa2\t Reviewed and summarized relevant laws, regulations, policies, and guidance on the\n          management integrity (FMFIA) and the NPM processes.\n\n       \xe2\x80\xa2\t Flowcharted the FMFIA and NPM process timelines to identify potential linkage\n          points and areas of efficiency.\n\n       \xe2\x80\xa2\t Analyzed information from the Office of Regional Operations (which oversees the\n          lead regional coordinator process), OCFO, OW, OCSPP, Regions 5 and 9, and\n          management integrity advisors for all offices in our scope\n\n       \xe2\x80\xa2\t Gathered and analyzed information from lead regional coordinators for OW and\n          OCSPP, located in Regions 3 and 6 respectively, to understand the lead region\n          process and its role in management integrity reporting.\n\n       \xe2\x80\xa2\t Conducted a literature search to review previous related audits and reports.\n\n       \xe2\x80\xa2\t Reviewed OCFO\xe2\x80\x99s FMFIA guidance for FYs 2008, 2009, and 2010.\n\n       \xe2\x80\xa2\t Participated in OCFO conference calls and interviewed OCFO staff to discuss the\n          FMFIA process and the FY 2010 requirement on program review strategies.\n\n       \xe2\x80\xa2\t Reviewed assurance letters for OW, OCSPP, and Regions 5 and 9 for FYs 2008 and\n          2009, and compared reporting between the headquarters program offices and regions.\n          We also reviewed assurance letters for Regions 3 and 6. Our assurance letter reviews\n\n\n\n11-P-0067                                                                                   17\n\x0c            focused on program operations, as well as whether letters included evidence of\n            completed internal control risk assessments.\n\n       \xe2\x80\xa2\t Reviewed OW and OCSPP program review strategies, which OCFO required as part\n          of the FY 2010 FMFIA process.\n\n       \xe2\x80\xa2\t Reviewed OCFO\xe2\x80\x99s Technical Guidance on FY 2010 National Program Manager\n          Guidance and Annual Commitment Process in Measures Central, as well as OW and\n          OCSPP NPM guidance for FYs 2008, 2009, and 2010.\n\n       \xe2\x80\xa2\t Conducted interviews with NPM and regional planners, regional comptrollers, office\n          directors, and other program and regional staff to understand, document, and analyze\n          the FMFIA process, the NPM process, and coordination between national program\n          offices and regional personnel. These interviews included briefings with NPMs from\n          OW and OCSPP, who explained processes they use to develop annual NPM guidance\n          documents and stakeholders with whom they coordinate on performance targets.\n\nIn FY 2009, OCFO hired Industrial Economics, Inc., to assess the effectiveness of EPA\xe2\x80\x99s\nmanagement integrity program and to identify how EPA program and regional offices can\nimprove FMFIA implementation. We reviewed Industrial Economics, Inc.\xe2\x80\x99s, final report, dated\nJanuary 15, 2010, as it included offices in our project scope as well as recommendations to\nOCFO that were similar to those resulting from our own interviews with Agency personnel.\n\nPrior Audit Coverage\nThe OIG reviewed the Agency\xe2\x80\x99s FMFIA implementation in two reports issued in 2009:\n\n       \xe2\x80\xa2\t In EPA Should Use FMFIA to Improve Programmatic Operations, Report\n          No. 09-P-0203, issued August 6, 2009, we determined whether EPA offices\n          integrated internal control standards under FMFIA into their programmatic\n          operations. We also determined whether EPA offices use available GAO guidance to\n          develop and monitor their internal controls. We found that because OCFO did not\n          require\xe2\x80\x94and program and regional offices did not evaluate and report on\xe2\x80\x94\n          compliance with GAO\xe2\x80\x99s standards in FY 2008, EPA risked not fully complying with\n          FMFIA. We also observed that the FMFIA process emphasized administrative and\n          financial reporting over programmatic performance. We made five recommendations\n          and are monitoring corrective actions OCFO has undertaken to address all\n          recommendations.\n\n       \xe2\x80\xa2\t In EPA\xe2\x80\x99s Office of Research and Development Could Better Use the Federal\n          Managers\xe2\x80\x99 Financial Integrity Act to Improve Operations, Report No. 09-P-0232,\n          issued September 15, 2009, we determined whether the Office of Research and\n          Development had a systematic strategy to establish, review, and monitor internal\n          controls. We also determined what the Office of Research and Development\xe2\x80\x99s\n          internal control strategy should contain to account for risks in meeting program goals.\n          We found that the Office of Research and Development has several opportunities for\n\n\n11-P-0067                                                                                    18\n\x0c            improving the accountability and effectiveness of federal programs and operations to\n            better accomplish FMFIA as intended. We made three recommendations and are\n            monitoring corrective actions the Office of Research and Development has\n            undertaken to address all recommendations.\n\n\n\n\n11-P-0067                                                                                    19\n\x0c                                                                                   Appendix B\n\n                  Agency Response to Draft Report\n                                     November 19, 2010\n\nMEMORANDUM\n\nSUBJECT:      Response to draft Audit Report EPA Should Further Integrate National Program\n              Manager Guidance with Federal Guidance on Internal Control Risks\n              (Project No. OA-FY09-1003)\n\nFROM:         Barbara J. Bennett //s//\n              Chief Financial Officer\n\nTO:           Melissa M. Heist\n              Assistant Inspector General for Audit\n\n       We appreciate the opportunity to respond to the draft Audit Report cited above.\nThroughout this review OIG has kept OCFO involved and informed, and we believe this has\nbeen very constructive. In particular, thank you for taking time to discuss this report with OPAA\nmanagers on November 17. I would like to provide several general comments on the conclusions\nand recommendations presented in this draft audit report. In addition, I have asked Kathy\nO\xe2\x80\x99Brien to send you a copy of the report annotated with our more detailed comments on specific\nstatements. We appreciate your consideration of our comments and suggestions.\n\nOverall Comments \xe2\x80\x93 Link Between NPM Guidance and FMFIA\n\n        As you know, OCFO has taken a number of steps over the past year to clarify and\nstrengthen the Agency\xe2\x80\x99s internal controls over programmatic activities, including highlighting\nthe connections between Management Integrity (FMFIA) and processes such as the annual NPM\nguidance. In our technical guidance for both FMFIA and NPM Guidance, we call attention to the\nimportance of identifying program risks and vulnerabilities, including obtaining input through\nthe Lead Region process.\n\n        Our primary concern with this draft audit is the confusion regarding the purpose of NPM\nGuidance and the link between FMFIA and NPM Guidance -- a critical concept central to the\naudit. The primary purpose of NPM Guidance is to operationalize the program priority decisions\nmade in developing the Agency\xe2\x80\x99s Strategic Plan and Annual Plan and Budget, thereby\nsupporting the Agency\xe2\x80\x99s compliance with GPRA. On the other hand, Annual Management\nIntegrity guidance is the primary means to facilitate communication between NPMs and regions\nfor identifying program risks, vulnerabilities, and controls. In this report, you urge OCFO to\nmore fully \xe2\x80\x9cintegrate FMFIA into the NPM Guidance.\xe2\x80\x9d We believe that FMFIA and the NPM\nGuidance, while related, are separate, complementary processes. We do not view FMFIA as\nsomething to be incorporated into the Guidance; on the contrary, we view the NPM Guidance\nprocess as one control or mechanism by which the Agency implements FMFIA.\n\n\n11-P-0067                                                                                    20\n\x0c        We agree with the observation that some staff and managers at the national and regional\nlevels still struggle with relating their day-to-day activities to complying with FMFIA. There are\na number of reasons for this, including lack of familiarity with FMFIA terminology and the\nhistorical view of FMFIA as a financial administrative process. We have made progress and will\ncontinue to address these gaps in understanding through on-site reviews, meetings with staff and\nmanagers, and technical guidance to implement both Management Integrity and the NPM\nprocess. Also, our online Management Integrity Training, to be released in FY 2011, will help\nincrease this understanding.\n\nComments on Recommendations\n\nRecommendation 2-1. Use existing activities under the NPM guidance process to require that NPMs\nin National Program Offices complete FMFIA reporting on program performance, risks, and\nemerging issues (including those related to regional program performance and/or feedback\nNPMs receive from regional program implementers).\n\n      Based on the November 17 discussion, we are suggesting revised language to clarify this\nrecommendation:\n\n       Require NPMs to address in their NPM Guidance, as appropriate, the vulnerabilities and\n       weaknesses identified through their FMFIA responsibilities.\n\n        We believe we have fulfilled the intent of this recommendation. OCFO\xe2\x80\x99s Management\nIntegrity Guidance currently requires that NPMs \xe2\x80\x9ccomplete FMFIA reporting on program\nperformance, risks, and emerging issues.\xe2\x80\x9d Further, OCFO\xe2\x80\x99s guidance to NPMs for developing\ntheir FY 2011 and FY 2012 annual program guidance instructs the NPMs to seek input from\nregions, through the Lead Region process, on program risks, vulnerabilities, and actions to\nmitigate program risks, and to incorporate these, as appropriate, in their annual letters of\nassurance. We believe these steps make the appropriate connection between the two processes\nand, therefore, address this recommendation.\n\nRecommendation 2-2 Direct regional personnel to report on administrative and financial\ninternal control activities in regional assurance letters.\n\n       OCFO requires this reporting now, and also requires that regions discuss their internal\ncontrols as implementers of national programs.\n\n        We agree that NPMs have responsibility for identifying and mitigating risks that threaten\nprograms at a national level. Through the Lead Region process, NPMs receive regions\xe2\x80\x99\nperspectives on national program risks. We continue to maintain, however, that regions have\nclear roles for implementing national programs in their regions and, in certain cases,\nimplementation responsibilities specific to a region (e.g., a number of geographical initiatives).\nOCFO believes we should continue to direct regions to address regional aspects of key national\nprograms in their internal control assessments, in addition to administrative and financial\ncontrols. All relevant activities should be addressed in regions\xe2\x80\x99 assurance letters.\n\n\n\n11-P-0067                                                                                      21\n\x0cRecommendation 3-1 Develop a training course on FMFIA that describes (a) what internal\ncontrol standards are, including definitions and terminology; (b) how management integrity\nrelates to program operations; and (c) how to conduct risk assessments.\n\nRecommendation 3-2 Enhance its management integrity intranet site by providing links to risk\nassessment guidance and completed products (such as risk assessments and program review\nstrategies) that offices could use as best practices or examples when completing their own\nproducts.\n\n       We agree in general that risk is a subject needing further clarification for Agency staff\nunfamiliar with its application in FMFIA.\n\n        OCFO\xe2\x80\x99s online training for management integrity advisors and Agency managers\n(currently in development) will address the topics enumerated in the recommendation, including\nrisk. These courses will be available to MIAs, managers, and all Agency employees in FY 2011.\nWe may determine that supplemental training in some areas, such as risk assessment, may be\nwarranted after an evaluation of the initial training offerings.\n\n        OCFO is in the process of reorganizing, updating, and enhancing its Management\nIntegrity website with links to guidance, policy, and tools on risk assessment. This work will be\ncompleted in FY 2011. In addition, some of these aids/links are embedded in OCFO\xe2\x80\x99s online\ntraining for the convenience of MIAs and managers.\n\n         In summary, I believe that OCFO is already taking actions to address the intent of these\nfour recommendations to strengthen the Agency\xe2\x80\x99s FMFIA program and to integrate the NPM\nGuidance with FMFIA, and I would like to close this audit as expeditiously as possible. I\nappreciate your consideration of our comments on the draft Audit Report. Please contact Debbie\nRutherford (202-564-1913), Director of OCFO\xe2\x80\x99s Accountability Staff, to discuss these comments\nfurther.\n\ncc: \t   Patrick Gilbride, OIG\n        Maryann Froehlich\n        Joshua Baylson\n        Kathy O\xe2\x80\x99Brien\n        Stefan Silzer\n\n\n\n\n11-P-0067                                                                                      22\n\x0c                                                                                 Appendix C\n\n                                    Distribution\nOffice of the Administrator\nChief Financial Officer\nDirector, Office of Regional Operations\nAssistant Administrator, Office of Water\nAssistant Administrator, Office of Chemical Safety and Pollution Prevention\nRegional Administrator, EPA Region 5\nRegional Administrator, EPA Region 9\nAgency Followup Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nAudit Followup Coordinator, Office of the Chief Financial Officer\nAudit Followup Coordinator, Office of Water\nAudit Followup Coordinator, Office of Chemical Safety and Pollution Prevention\nAudit Followup Coordinator, EPA Region 5\nAudit Followup Coordinator, EPA Region 9\n\n\n\n\n11-P-0067                                                                               23\n\x0c'